Patch to fix samba 3.5.15 domain security
John Wehle
john at feith.com
Fri May 4 17:02:00 MDT 2012
Consider the following working samba 3.3.9 configuration:
machine1 smb.conf:

    [global]
    ...
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65
    workgroup = WORKGROUP
    security = user
    domain logons = yes
    encrypt passwords = yes
    passdb backend = smbpasswd

machine2 smb.conf:

    [global]
    ...
    domain master = no
    local master = no
    preferred master = no
    os level = 65
    workgroup = WORKGROUP
    security = domain
    password server = machine1
A client attempting to access a resource on machine2 will cause
machine2 to contact machine1 in order to authenticate the user.
This allows all the passwords to be maintained in one place.
Everything worked fine with both machines running 3.3.9.
Everything worked fine after upgrading machine1 from 3.3.9 to 3.5.15.
Clients could access resources on machine1 by entering:
Username
Password
Once machine2 was upgraded from 3.3.9 to 3.5.15, clients were
no longer able to access resources on machine2 by entering:
Username
Password
the log showed:
auth/auth_util.c:211(make_user_info_map)
Mapping user [CLIENT]\[user1] from workstation [CLIENT]
auth/auth_util.c:232(make_user_info_map)
Mapped domain from [CLIENT] to [MACHINE2] for user [user1] from
workstation [CLIENT]
auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[CLIENT]\[user1]@[CLIENT] with the new password interface
auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [MACHINE2]\[user1]@[CLIENT]
auth/auth_sam.c:399(check_sam_security)
check_sam_security: Couldn't find user 'user1' in passdb.
auth/auth.c:268(check_ntlm_password)
check_ntlm_password: sam authentication for user [user1] FAILED
with error NT_STATUS_NO_SUCH_USER
However they can access machine2 resources by doing:
WORKGROUP\Username
Password
Looking at the make_user_info_map 3.3.9 code in auth_util.c we see:
    if ( *client_domain )
        domain = client_domain;
    else
        domain = lp_workgroup();
In the 3.5.15 code we have:

    domain = client_domain;
The enclosed patch restores the old behaviour when using domain security.
-- John Wehle
------------------8<------------------------8<------------------------
--- source3/auth/auth_util.c.ORIGINAL 2012-04-27 15:10:36.000000000 -0400
+++ source3/auth/auth_util.c 2012-05-04 17:44:53.653291396 -0400
@@ -210,7 +210,10 @@ NTSTATUS make_user_info_map(auth_usersup
DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, wksta_name));
- domain = client_domain;
+ if (lp_security() != SEC_DOMAIN)
+ domain = client_domain;
+ else
+ domain = lp_workgroup();
/* If you connect to a Windows domain member using a bogus domain name,
* the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
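Review bot: the new `else domain = lp_workgroup();` branch does more than restore the 3.3.9 behaviour quoted above. In 3.3.9 the workgroup fallback applied only when `*client_domain` was empty; with this hunk, under `security = domain`, a non-empty client-supplied domain (the log above shows `client_domain` = CLIENT for the failing request) is also discarded in favour of the workgroup, so a login that explicitly names a different domain would be rewritten to the workgroup before any lookup. Consider keeping the empty-string test, e.g. `if (lp_security() != SEC_DOMAIN || *client_domain)`, or extending the comment that follows the hunk to say why a supplied domain is overridden on a domain member. Style point: the two-branch if/else should carry braces as elsewhere in the file.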
-------------------------------------------------------------------------
| Feith Systems | Voice: 1-215-646-8000 | Email: john at feith.com |
| John Wehle | Fax: 1-215-540-5495 | |
-------------------------------------------------------------------------